Cyber attackers had access to Facebook’s internal corporate network for several months, including access to Facebook employees’ usernames and passwords. The intrusions took place in July and September 2015, and possibly in February 2016, and were discovered by a security researcher during penetration testing of the tech giant’s corporate network.

Penetration testing is a series of attempts by a security expert to discover and report vulnerabilities in the security of a website or service. This testing was conducted under Facebook’s Bug Bounty program, in which the company pays people who discover holes in its systems and inform it about them.

Devcore security researcher Orange Tsai found 7 security bugs in the company’s corporate tools, including a file transfer service. At the same time, it turned out that at least one hacker had breached Facebook and was operating within its corporate network. The researcher explained that while collecting bug details and evidence for his report to the company, he found some suspicious entries in the web log. It turned out that the hacker had created a proxy on the credential page to log the credentials of the site’s employees. The logged passwords were stored under the web directory so that the hacker could use or collect them every once in a while.

The researcher said that the logged Facebook employee credentials could have given the intruders access to email accounts, the virtual private network and other Facebook tools. Fortunately, user data is stored separately, though it is unclear whether genuine Facebook employee credentials could have given access to that data. According to the security expert, there were about 300 logged credentials dated between the 1st and the 7th, starting from 1 February, generally [email protected] and [email protected]

The expert alerted Facebook to the hack at the beginning of February. Facebook launched an internal investigation, which concluded a few days ago, allowing the researcher to disclose the details of the hack. Facebook representatives admitted that the software they were using was third-party software. As the company doesn’t have full control of it, it was run in isolation from the systems that host the information users share on the social network. Facebook’s security specialists said they did this precisely to ensure better security. Finally, the company said that the activity found by the researcher was in fact from another expert participating in Facebook’s bounty program.